[AppScan] Unsafe HTTP methods enabled (medium)
?????????????
"Unsafe HTTP methods enabled" is rated as medium severity. In the AppScan report, AppScan sends an OPTIONS request to the server and finds that methods such as DELETE, SEARCH and COPY are enabled.
Remediation (three options):
1. If WebDAV is not needed, disable the WebDAV extension.
2. Use URLScan to block the OPTIONS method; this is the smallest-scope change and is made in the URLScan configuration.
3. Use URLScan to restrict the HTTP methods the server accepts (OPTIONS included) so that only GET/POST/HEAD are allowed.
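The three options above all come down to the same control: the server answers only an allowlist of methods and advertises nothing else. The following Python is an added example, not code from the original page, URLScan or AppScan: a WSGI middleware that refuses any method outside GET/POST/HEAD with a 405 whose Allow header lists only the allowlist, plus a helper that audits the Allow value of an OPTIONS response from your own server, which is the check AppScan performs. All function names and the sample Allow header are the example's own.

```python
"""Added example (not from the original page, URLScan or AppScan): enforce an
HTTP method allowlist in a WSGI application and audit an Allow header."""

from typing import Callable, Dict, Set, Tuple

# The methods an ordinary web application needs; everything else, including
# OPTIONS and the WebDAV verbs (DELETE, SEARCH, COPY, PUT, ...), is refused.
ALLOWED_METHODS: Set[str] = {"GET", "POST", "HEAD"}


def audit_allow_header(allow_header: str, allowed: Set[str] = ALLOWED_METHODS) -> Set[str]:
    """Return the methods advertised in an Allow header that fall outside `allowed`.

    Feed it the Allow value from an OPTIONS response of your own server; a
    non-empty result is what the AppScan finding above reports.
    """
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return advertised - {m.upper() for m in allowed}


def method_allowlist(app: Callable, allowed: Set[str] = ALLOWED_METHODS) -> Callable:
    """WSGI middleware: answer 405 Method Not Allowed for any method not in `allowed`."""
    allowed_upper = {m.upper() for m in allowed}
    allow_value = ", ".join(sorted(allowed_upper))

    def wrapped(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method not in allowed_upper:
            body = b"405 Method Not Allowed\n"
            # The Allow header advertises only the allowlist, so an OPTIONS or
            # 405 probe no longer reveals DELETE/SEARCH/COPY and friends.
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
                ("Allow", allow_value),
            ])
            return [body]
        return app(environ, start_response)

    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the real application behind the middleware."""
    body = b"hello\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app: Callable, method: str, path: str = "/") -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app in-process (no network) and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    guarded = method_allowlist(demo_app)
    for m in ("GET", "HEAD", "OPTIONS", "DELETE", "COPY"):
        status, headers, _ = call(guarded, m)
        print(f"{m:8s} -> {status}  Allow: {headers.get('Allow', '-')}")
    # Constructed sample: an Allow header as an unhardened WebDAV-enabled server might send it.
    print("unsafe methods:", sorted(audit_allow_header(
        "OPTIONS, TRACE, GET, HEAD, POST, DELETE, SEARCH, COPY")))
```

The middleware is deliberately placed in front of the application rather than inside individual handlers, so a forgotten route cannot reintroduce a verb; the same allowlist drives both the refusal and the Allow header, which keeps the advertised surface equal to the enforced one.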

[AppScan] Password field with HTML autocomplete not disabled
AppScan reports that the form's password field can be filled in automatically by the browser.
Remediation: set the "autocomplete" attribute to "off".
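To verify the remediation across a whole page rather than one field at a time, the following Python is an added example, not code from the original page: it parses an HTML document and lists every password input whose effective autocomplete setting (the input's own attribute, falling back to the enclosing form's) is not "off". The sample markup is constructed for the example.

```python
"""Added example (not from the original page): find password fields whose
effective autocomplete setting is not "off"."""

from html.parser import HTMLParser
from typing import Dict, List, Optional


class PasswordFieldAuditor(HTMLParser):
    """Collect every <input type="password"> with its effective autocomplete value."""

    def __init__(self) -> None:
        super().__init__()
        self._form_autocomplete: Optional[str] = None   # value on the open <form>, if any
        self.findings: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_autocomplete = a.get("autocomplete")
        elif tag == "input" and a.get("type", "").lower() == "password":
            # The input's own attribute wins; otherwise the form's value applies.
            effective = a["autocomplete"] if "autocomplete" in a else self._form_autocomplete
            self.findings.append({"name": a.get("name"), "autocomplete": effective})

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._form_autocomplete = None


def password_fields_without_autocomplete_off(html: str) -> List[str]:
    """Names of password inputs that do not end up with autocomplete="off"."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return [f["name"] or "<unnamed>" for f in auditor.findings
            if (f["autocomplete"] or "").strip().lower() != "off"]


# Constructed sample page: four login-style forms; pwd1 and pwd4 should be flagged.
SAMPLE_HTML = """
<form action="/login1"><input type="text" name="user"><input type="password" name="pwd1"></form>
<form action="/login2"><input type="password" name="pwd2" autocomplete="off"></form>
<form action="/login3" autocomplete="off"><input type="password" name="pwd3"></form>
<form action="/login4"><input type="password" name="pwd4" autocomplete="on"></form>
"""

if __name__ == "__main__":
    print("password fields still autofillable:",
          password_fields_without_autocomplete_off(SAMPLE_HTML))
```

Run it over the rendered login page (the HTML the browser actually receives, not the template source), since a framework may add or strip the attribute at render time.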
????[AppScan]??????????HTML?????????й????ο??????
???????飺??????????????????????/????????????????????????????????????????????в??????????????

[AppScan] Session identifier not updated (medium)
?????????????
"Session identifier not updated" is rated as medium severity. AppScan compares the session cookie before and after login (JSESSIONID for JSP, ASP.NET_SessionId for ASP.NET); if the cookie value does not change once the user has logged in, it reports "session identifier not updated".
Remediation:
For JSP, see the code in this post: http://www.2cto.com/Article/201302/190227.html
??????????????????δ???
request.getSession().invalidate(); // invalidate the pre-login session
Cookie cookie = request.getCookies()[0]; // the session cookie (this assumes it is the first cookie sent)
cookie.setMaxAge(0); // expire the cookie
response.addCookie(cookie); // send the expired cookie back so the browser drops it
??????????????????????????????????μ?session???
For ASP.NET, see the code below: the three lines before the login check clear the session and overwrite the cookie so that the old SessionId is invalidated.
protected void btnLogin_Click(object sender, EventArgs e)
{
    // Discard the pre-login session and overwrite the session cookie so the old SessionId is invalid
    Session.Clear();
    Session.Abandon();
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
    // Login check
    if (check(txtName.Text, txtPassword.Text))
    {
        FormsAuthentication.SetAuthCookie("admin", false);
        Response.Redirect("Default.aspx");
    }
}
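Both the JSP and the ASP.NET snippets above do the same two things: throw away the session that existed before authentication and hand the browser a fresh identifier. The following Python is an added example, not code from the page or from the blog post it cites: a minimal in-memory session store whose login() applies that pattern, next to the "before" behaviour that keeps the old id, and the comparison AppScan makes between the cookie value before and after login. The credential check is a constructed placeholder and the class and function names are the example's own.

```python
"""Added example (not from the original page or the post it cites): regenerate
the session identifier on login, and the before/after check AppScan performs."""

import secrets
from typing import Dict, Optional


def check_credentials(username: str, password: str) -> bool:
    """Constructed placeholder; a real application verifies a stored password hash."""
    return (username, password) == ("alice", "correct horse battery staple")


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)           # 256 bits from the CSPRNG

    def start(self) -> str:
        """Anonymous session issued on first visit, before the user logs in."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def login_insecure(self, sid: str, username: str, password: str) -> Optional[str]:
        """'Before' behaviour: authenticates but keeps the pre-login id."""
        if not check_credentials(username, password):
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        session["user"] = username
        return sid                                 # unchanged: the AppScan finding

    def login(self, sid: str, username: str, password: str) -> Optional[str]:
        """Hardened: drop the old session (invalidate()/Session.Abandon()) and issue a new id."""
        if not check_credentials(username, password):
            return None                            # failed login leaves the session untouched
        self._sessions.pop(sid, None)              # the pre-login id is now worthless to whoever holds it
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": username}
        return new_sid


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value that replaces the old session cookie in the browser."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_changes_after_login(store: SessionStore, login_fn) -> bool:
    """The check AppScan performs: is the session cookie value different after login?"""
    before = store.start()
    after = login_fn(before, "alice", "correct horse battery staple")
    return after is not None and after != before


if __name__ == "__main__":
    s = SessionStore()
    print("insecure login changes id:", session_id_changes_after_login(s, s.login_insecure))
    print("hardened login changes id:", session_id_changes_after_login(s, s.login))
    sid = s.start()
    new_sid = s.login(sid, "alice", "correct horse battery staple")
    print("old id still valid after login:", s.get(sid) is not None)
    print("Set-Cookie:", session_cookie_header("JSESSIONID", new_sid))
```

The regeneration happens only after the credentials check succeeds, so a failed attempt does not churn identifiers; and the old id is removed from the store, not merely re-labelled, so anyone who captured it before login holds nothing usable.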
The risk of "session identifier not updated":
?????????????????????????XSS?????????Id???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????